The threat hunter's guide to securing the enterprise

You're already breached. Here's how to track down attackers on your network before they wreak havoc

It's time to face facts: Attackers are stealthy enough to evade your monitoring systems. If you're sitting back waiting for alarms to go off, there's a good chance you're already hosed.

Despite spending more than $75 billion on security products and services, enterprises are frequently compromised, highly sensitive data is stolen, and the fallout can be devastating. Worse, enterprises don't discover they've been breached until weeks or months after the initial compromise, taking between 120 and 200 days on average even to detect an attack. That's a six-month head start on reconnaissance and exploitation -- more time on your network than most of your recent hires.

Needless to say, existing approaches to threat detection aren't working. It's time to strap on your threat hunting gear and proactively look for malicious activity in your environment. Here's a plan to track down threats.

Hunt in your own backyard

Threat hunting, or cyberhunting, is a set of technologies and techniques that can help you find bad actors before they cause too much damage to your environment. Although threat hunting can involve both manual and machine-assisted techniques, the emphasis is on investigators looking at all the pieces in context and uncovering relationships, says David Bianco, a security technologist at Sqrrl Data.

Security automation can help collect data from network and endpoint segments, and machine learning can speed up analysis, but in the end, it's up to you to assemble a series of diverse threat hunting activities into a comprehensive process for sleuthing out your adversaries, says Kris Lovejoy, president and CEO of Acuity Solutions and former general manager of IBM Security Services.

"Threat hunting is a defensive process, not an offensive one," Lovejoy adds.

While a successful hunt requires you to think like a hacker, that doesn't mean you should be tracing attacks back to the originating machine, immersing yourself in Dark Web forums, or engaging in questionable practices to uncover potential issues. That may be the case for investigators and hunters from the U.S. Department of Defense or the Federal Bureau of Investigation, but cyberhunting is purely defensive in the enterprise. You hunt by forming hypotheses about how an attacker can get into your network, then you look for evidence within your environment to prove or disprove those hypotheses.

Build a baseline of knowledge

Assessing security risk is a central facet of threat hunting, and the process can be split into three phases. First, you must understand the threats most likely to target your organization, whether they be persistent adversaries, particular sets of malware, or a certain type of attack. Second, you must identify your vulnerabilities, such as unpatched software or processes susceptible to human error. Third, you must assess the impact a successful threat may have in targeting your vulnerabilities. Once you can calculate these risks, you can then prioritize your threat hunting activities to target them.
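The hypothesis-driven hunt described above (form a hypothesis, then look for evidence in your own environment to prove or disprove it) and the three-phase risk assessment in this section can be put together in a small script. The following is an added example and not code from the article or from any vendor it quotes: the logon records, the log format (`timestamp account=... src=... type=...`), the three hypotheses, and the 1-to-5 likelihood and impact scores are all constructed for illustration. Each hypothesis gets a risk score (likelihood times impact), the hypotheses are worked in priority order, and each one is tested against a baseline of which hosts each account normally logs on from.

```python
"""Hypothesis-driven threat hunt over constructed logon records.

Added example, not from the article. Every record, hypothesis, and score
below is constructed; the Windows logon-type numbers (2 = interactive,
3 = network, 10 = RemoteInteractive/RDP) are the standard event-log values.
"""
from datetime import datetime

# Constructed "last month" records used to build the baseline of normal behaviour.
BASELINE_LINES = [
    "2024-03-01T09:02:11 account=jsmith src=WS-042 type=2",
    "2024-03-01T09:05:40 account=jsmith src=FS-01 type=3",
    "2024-03-01T09:10:00 account=aboyd src=WS-017 type=2",
    "2024-03-02T08:55:23 account=jsmith src=WS-042 type=2",
    "2024-03-02T14:20:09 account=aboyd src=FS-01 type=3",
]

# Constructed "this week" records the hunt is run against.
RECENT_LINES = [
    "2024-03-04T09:01:15 account=jsmith src=WS-042 type=2",   # normal
    "2024-03-04T02:13:47 account=jsmith src=WS-017 type=10",  # new host, off hours
    "2024-03-04T10:30:02 account=aboyd src=FS-01 type=3",     # normal
]


def parse_logon(line):
    """Parse one constructed logon record into a dict with a datetime and int type."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    rec["type"] = int(rec["type"])
    return rec


def build_baseline(lines):
    """Phase 'baseline': map each account to the set of hosts it has logged on from."""
    seen = {}
    for rec in map(parse_logon, lines):
        seen.setdefault(rec["account"], set()).add(rec["src"])
    return seen


# Each hunt function returns the records that support its hypothesis (evidence).
def hunt_new_host(baseline, recent):
    """Valid account used from a host it has never been seen on."""
    return [r for r in recent if r["src"] not in baseline.get(r["account"], set())]


def hunt_off_hours(baseline, recent):
    """Interactive or RDP logon outside the assumed 07:00-20:00 working window."""
    return [r for r in recent if r["type"] in (2, 10) and not 7 <= r["time"].hour < 20]


def hunt_service_interactive(baseline, recent):
    """Service account (assumed 'svc-' prefix) used for an interactive logon."""
    return [r for r in recent if r["account"].startswith("svc-") and r["type"] in (2, 10)]


# Constructed hypotheses with likelihood and impact on a 1-5 scale (assumption).
HYPOTHESES = [
    {"name": "stolen credentials: account used from a never-seen host",
     "likelihood": 4, "impact": 4, "test": hunt_new_host},
    {"name": "off-hours interactive logon by a human account",
     "likelihood": 3, "impact": 3, "test": hunt_off_hours},
    {"name": "service account used interactively",
     "likelihood": 2, "impact": 5, "test": hunt_service_interactive},
]


def prioritize(hypotheses):
    """Phase three: rank hypotheses by risk = likelihood x impact, highest first."""
    return sorted(hypotheses, key=lambda h: h["likelihood"] * h["impact"], reverse=True)


def run_hunt(baseline_lines, recent_lines, hypotheses=HYPOTHESES):
    """Test each hypothesis in priority order and report whether evidence supports it."""
    baseline = build_baseline(baseline_lines)
    recent = [parse_logon(line) for line in recent_lines]
    results = []
    for h in prioritize(hypotheses):
        evidence = h["test"](baseline, recent)
        results.append({
            "hypothesis": h["name"],
            "risk": h["likelihood"] * h["impact"],
            "supported": bool(evidence),
            "evidence": evidence,
        })
    return results


if __name__ == "__main__":
    for r in run_hunt(BASELINE_LINES, RECENT_LINES):
        verdict = "SUPPORTED" if r["supported"] else "not supported"
        print(f"[risk {r['risk']:>2}] {r['hypothesis']}: {verdict}")
        for e in r["evidence"]:
            print(f"    {e['time'].isoformat()} {e['account']} from {e['src']} (type {e['type']})")
```

Run against the constructed data, the highest-risk hypothesis (credential misuse from a new host) is supported by the 02:13 RDP logon of `jsmith` from `WS-017`, the off-hours hypothesis is supported by the same record, and the service-account hypothesis is disproved and can be set aside. The point of structuring the hunt this way is that a disproved hypothesis is still a result: it tells you where not to spend the next hour.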